OFFWIN20, Lineage, Nilage malware

What exactly is OFFWIN20 malware?

Sometimes also known as “Lineage” or “Nilage” or “Linage” among various AVs … Chinese backdoor trojan … man, many uniques and variants. Password stealer, remote access. Nasty little cuss. Hit its peak last year but still is making the rounds …

Shakes crystal ball… I dunno. :-
The naming conventions are less than standard, each vendor has their own way of doing it.
There was some talk at one time about joining with a group to standardize these but I’m not sure where it is at this point. Kevin or Melih would have to weigh in for an authoritative answer.

I got a pop-up message that OFFWIN20 malware stopped by Boclean. Location of startup file
c\program files\common files\microsoft shared\msinfo\MSkb6au.DLL and with option to remove it.
Should I remove it?

First set CBO to keep a copy, then try to copy the .dll in its raw form to submit to VirusTotal, etc.
Next, allow CBO to do what it’s there for… terminate with prejudice. :wink:

Either way, c-BOC has killed the process, so you are safe… If it was me, I would scan the file at VirusTotal… I would also submit the file to Comodo and hope to get a response from them, but I don’t know how good they would be at getting back to you…

I never allow any program to remove a file (or a regkey, if that is what it is flagging) without first checking things out to make sure that it is not a false positive…

I ran a check through VirusTotal and indeed it is a variant of Linage/Nilage. Created a restore point and moved the file to an external drive. Restarted my PC and found the system running normally with all programs functioning. Also found out that the file has been on my PC since 2-4-2006. Only Boclean detected it. What a great software. Thank you :BNC

And now you know why so many people swear by it. :wink:
You will want to disable then re-enable System Restore (if on your OS) to clear it out of any restore points you may have.

Edit: My brief understanding of Nilage is it’s a game password stealer, please correct me if I’m wrong.
You’ll want to check and change any passwords that may have been compromised.
Rednose pointed out to me the long term nature of this infection and the possibility you may have been compromised in other ways.
Best practice: once a box has been had, it’s best to nuke and rebuild or restore from a known good image.
That said, if you decide to not nuke and burn it would be a good idea to scan the box with a good AV scanner as well as check that there are no open ports hanging in the breeze or other remote access programs lying dormant.

Did you have any other AV or antispyware running?

I have AVG Anti-Virus Free Edition, Ad-Aware Personal Edition and Spybot - Search & Destroy. All these 3 were installed years ago and updated regularly. Comodo firewall was installed about a year ago and Boclean was installed about a week ago.

Interesting, and none of these caught the malware in your system?

Well done, Comodo Boclean :wink: That’s what it is about!